diff --git a/static/js/web-install.js b/static/js/web-install.js
index aa117b76..1f623fad 100644
--- a/static/js/web-install.js
+++ b/static/js/web-install.js
@@ -28,6 +28,20 @@ async function unlockBootloader() {
 await fastboot.receive();
 }
+async function lockBootloader() {
+ const webusb = await Adb.open("WebUSB");
+
+ if (!webusb.isFastboot()) {
+ console.log("error: not in fastboot mode");
+ }
+
+ console.log("connecting with fastboot");
+
+ const fastboot = await webusb.connectFastboot();
+ await fastboot.send("flashing lock");
+ await fastboot.receive();
+}
+
 if ("usb" in navigator) {
 console.log("WebUSB available");
@@ -38,6 +52,10 @@ if ("usb" in navigator) {
 const unlockBootloaderButton = document.getElementById("unlock-bootloader");
 unlockBootloaderButton.disabled = false;
 unlockBootloaderButton.onclick = unlockBootloader;
+
+ const lockBootloaderButton = document.getElementById("lock-bootloader");
+ lockBootloaderButton.disabled = false;
+ lockBootloaderButton.onclick = lockBootloader;
 } else {
 console.log("WebUSB unavailable");
 }
diff --git a/static/web-install.html b/static/web-install.html
index afc6d56a..169969ee 100644
--- a/static/web-install.html
+++ b/static/web-install.html
@@ -138,6 +138,29 @@ of the volume keys to switch the selection to accepting it and the power button to confirm.
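Review bot: In `lockBootloader`, the `!webusb.isFastboot()` branch only logs and then falls through, so `connectFastboot()` and `fastboot.send("flashing lock")` are still attempted on a device that is not in fastboot mode. Add `return;` after the `console.log("error: not in fastboot mode");` line, or throw, so the function stops there. The value returned by `fastboot.receive()` is also discarded, so a refused command looks the same as an accepted one. Since the accompanying page text says this step enables verified boot and wipes data, the reply should be checked and reported to the user. The visible tail of `unlockBootloader` suggests it has the same shape, but its body starts outside the hunk.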
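Review bot: `lockBootloaderButton.onclick = lockBootloader` assigns the async function directly as the click handler, so a rejection from `Adb.open("WebUSB")`, `connectFastboot()` or `send()` becomes an unhandled promise rejection and the user sees no failure. Wrapping the call would make failures visible, for example `lockBootloaderButton.onclick = () => lockBootloader().catch((err) => console.log("error: " + err));`. It may also be worth disabling the button while the operation is running so that a second click cannot open a concurrent WebUSB session; whether that can happen depends on code outside this hunk.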
+ +Locking the bootloader is important as it enables full verified boot. It also + prevents using fastboot to flash, format or erase partitions. Verified boot will + detect modifications to any of the OS partitions and it will prevent reading any + modified / corrupted data. If changes are detected, error correction data is used + to attempt to obtain the original data at which point it's verified again which + makes verified boot robust to non-malicious corruption.
+ +In the bootloader interface, set it to locked:
+ + + +The command needs to be confirmed on the device and will wipe all data. Use one + of the volume buttons to switch the selection to accepting it and the power button + to confirm.
+